Archive

I received one of those reports by serious economists commissioned by serious security firms for serious money. You’ll know the sort I mean. They state that if only we adopt this technology, or stop those bad practices, or prevent these bad people, then we’ll create this huge amount of wealth: probably enough to pay off European and North American national debts in just a few years.

Well, with all due deference and respect: baloney. You cannot create wealth. You can print or mint money – but that’s not wealth. Money is nothing more than a promise that is continually broken through inflation and devaluation.

I want you to consider the nature of wealth, and where it comes from. It is represented by money, but it is not money. It comes from trade. But where does trade come from? It comes from surplus food production.

Think about this. If you couldn’t go to the shops to buy food, you’d have to spend your time farming, hunting or gathering. It’s only because our farmers produce more food than they need for themselves that the rest of us have time and capacity to engage in manufacturing and trade. The better we are at the trade that is allowed by surplus food, the wealthier we become. There is, therefore, a direct relationship between wealth and food surplus: in fact, wealth equals food surplus. That is, there is a finite amount of wealth in existence at any time; and it is proportionate to the food surplus produced by the farmers.

If you think I’m wrong, try this thought experiment. Think of any industry you like, and imagine it ceases to exist for a year. Will the human race survive? Now cease all food production for a year. Will the human race survive? Quite simply, nothing whatsoever can increase wealth unless it increases or improves food production, upon which all else is built.

So what are the economists on about? ‘Economy’ as a science is simply the explanation for, and sometimes the facilitation of, the redistribution of the food surplus. Adopting this new technology will not increase wealth, it will redistribute what already exists. The difficulty with this approach is that if everybody adopts the new technology, then it will redistribute nothing – everything remains the same. That doesn’t mean you shouldn’t bother with the new technology; because if you don’t and your competitors do, then they gain advantage and the redistribution of wealth is from you to them. You lose.

So this is the contradiction in economic predictions. Adopting a new technology will not create wealth for you. It might redistribute the wealth of your competitors to you if you adopt and they do not; or it might redistribute your wealth from you to them if they adopt and you do not. It’s just a carousel of fallacious wealth – and the only group virtually guaranteed to accrue other people’s wealth are the eCONomists themselves.

Rob Wainwright, director of Europol and once a leading figure in SOCA, has “briefed a Lords EU sub-committee on plans for a European cyber crime centre.”

It could operate along similar lines to America’s Internet Crime Complaint Center (IC3), a joint venture between the FBI and the National White Collar Crime Centre, which for the past 10 years has allowed victims of cyber crime to make a complaint online.
BBC: EU could turn to ‘crowd sourcing’ in cyber crime fight

But it is likely to go much further:

Europol strategic analyst Victoria Baines later explained to BBC News that the organisation was interested in eventually using a form of “crowd sourcing” to gather examples of suspected cyber crime so it could build up a fuller picture of illegal activity.

This would involve concerned net users scouring the net for possible examples of crime and reporting it, possibly through a dedicated website.

This is not my beautiful home

This scares me more than I can say. The idea that a million anoraks with a computer but no life will start a new pastime of cybernet-curtain-twitching is a little scary. Reporting a crime perpetrated against you is one thing; reporting an acquaintance who appears to be sending you pornographic material is something else. If security experts have difficulty tracking down the genuine criminals on the internet, how on earth will Joe Bloggs succeed? And what will Europol’s software – you know, the stuff that seeks to find links and connections – make of a couple of false accusations, a subscription to Freeview’s adult channels, and a phone call to a friend who is the friend of someone under different surveillance?

We’ve had crowd sourcing before. The crowd was the FBI – and look what a mess the UK police made of Operation Ore:

New evidence I have gathered for my work as an expert witness in defence cases shows that thousands of cases under Operation Ore have been built on the shakiest of foundations – the use of credit card details to sign up for pornography websites. In many cases, the card details were stolen; the sites contained nothing or legal material only; and the people who allegedly signed up to visit the sites never went there.
Duncan Campbell, Guardian: Operation Ore flawed by fraud

I really hope that Mr Wainwright does not get his way in this. Crowd sourcing is no replacement for old-fashioned policing and genuine evidence. And, frankly, I don’t want to live in this Stasi-inspired shop-your-neighbour Orwellian society SOCA and Europol seem to want for us.

When I was younger, with one foot on the corporate career ladder (before I subsequently fell off, permanently) we had what I thought was an American joke: if you came into the office in the morning and your desk was bare – no phone, no computer, no nothing – you’d been sacked. But it wasn’t a joke. It was the physical effect of material de-provisioning; and a necessary part, along with the security guard escorting you off the premises, of letting people go.

Somewhere, with the evolution of the cyber office, we have forgotten the importance of de-provisioning – of cancelling online accounts, removing passwords and restricting access immediately on termination. There is a second line of defence. It’s the courts; and Bank of America has won a court injunction temporarily blocking use of its data by four ex-employees.

The problem is that this smacks rather of stable doors and horses, or genies and bottles. The courts are no alternative to adequate staff provisioning and de-provisioning. Kurt Johnson, vice president of strategy & corporate development at Courion, whose AccountCourier product does just this, comments:

This is not just another “employee gone bad” story; it’s a reminder to companies that if the proper access controls and monitoring tools are not put in place to protect sensitive data, they could suffer significant financial and operational losses.

Companies need to be one step ahead of a departing employee. In letting these staff members go, all administrative controls should have been shut off and changed immediately so that there was no opportunity to gain access to these sensitive files. Leaving even a short time gap between notice of termination and closing accounts creates vulnerabilities. For example, the Ponemon Institute has reported that 59 percent of terminated employees admitted to stealing confidential company information so the Bank of America is not alone. Implementing an automatic de-provisioning process is the only way to confidently avoid glaring lapses in security when your company’s data stores are vulnerable to attack.
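The gap Johnson describes, between notice of termination and the closing of accounts, is something an organisation can measure and close automatically. The audit below is an added example, not code from the original post and not Courion’s AccountCourier; it assumes two constructed feeds, an HR list of terminations and an inventory of accounts across systems, and flags every account still active after its owner has left, putting accounts that were used after termination first.

```python
"""Audit and close the gap between HR termination and account de-provisioning.

Added example; not code from the original post and not Courion's
AccountCourier. It assumes two constructed feeds embedded inline: an HR
list of terminations and an inventory of accounts across systems.
"""
from datetime import datetime, timedelta

# Constructed HR feed: employee id -> moment notice of termination was given (UTC).
HR_TERMINATIONS = {
    "e1001": datetime(2010, 12, 1, 9, 0),
    "e1002": datetime(2010, 12, 1, 9, 0),
    "e1003": datetime(2010, 12, 3, 17, 30),
}

# Constructed account inventory, one record per account on each system.
ACCOUNTS = [
    {"system": "directory", "employee": "e1001", "status": "disabled",
     "last_activity": datetime(2010, 11, 30, 18, 0)},
    {"system": "vpn", "employee": "e1001", "status": "active",
     "last_activity": datetime(2010, 12, 2, 22, 15)},   # used after termination
    {"system": "directory", "employee": "e1002", "status": "disabled",
     "last_activity": datetime(2010, 11, 30, 17, 45)},
    {"system": "fileshare", "employee": "e1002", "status": "active",
     "last_activity": datetime(2010, 11, 29, 11, 0)},
    {"system": "directory", "employee": "e1003", "status": "active",
     "last_activity": datetime(2010, 12, 3, 17, 0)},
    {"system": "directory", "employee": "e2000", "status": "active",
     "last_activity": datetime(2010, 12, 4, 8, 30)},    # current employee
]

# Constructed time at which the audit is run.
AUDIT_TIME = datetime(2010, 12, 4, 9, 0)


def find_lapses(terminations, accounts, now):
    """Return a finding for every account still active after its owner's termination.

    Accounts that show activity after the termination time come first, then the
    longest-open gaps, so the most urgent cases are at the top of the list.
    """
    findings = []
    for acct in accounts:
        terminated_at = terminations.get(acct["employee"])
        if terminated_at is None or acct["status"] != "active":
            continue   # still employed, or already de-provisioned
        hours_open = (now - terminated_at) / timedelta(hours=1)
        findings.append({
            "employee": acct["employee"],
            "system": acct["system"],
            "hours_open": round(hours_open, 1),
            "used_after_termination": acct["last_activity"] > terminated_at,
        })
    findings.sort(key=lambda f: (not f["used_after_termination"], -f["hours_open"]))
    return findings


def deprovision(accounts, findings):
    """Disable every flagged account (simulated: the inventory is edited in place).

    Returns the (system, employee) pairs that were disabled, for the audit trail.
    """
    targets = {(f["system"], f["employee"]) for f in findings}
    disabled = []
    for acct in accounts:
        key = (acct["system"], acct["employee"])
        if key in targets and acct["status"] == "active":
            acct["status"] = "disabled"
            disabled.append(key)
    return disabled


if __name__ == "__main__":
    lapses = find_lapses(HR_TERMINATIONS, ACCOUNTS, AUDIT_TIME)
    for finding in lapses:
        print(finding)
    print("disabled:", deprovision(ACCOUNTS, lapses))
```

Run against a real HR feed and account inventory, the same two functions give both the report (how long each account stayed open, and whether it was used) and the closing action.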

Cameron, Clegg and the Coalition have been a huge disappointment to me. They came into power, with the help of my vote and a majority of the UK population, on a mandate for rolling back the authoritarian era of New Labour. It was a period of great hope. Now is a time of severe disillusion.

“Of course there is a right to protest peacefully, there always should be,” he [prime minister David Cameron] said.

He is correct. Everybody has a right to demonstrate peacefully. Nobody has a right to engage in violence other than in self-defence. So any protestors who were physically violent or damaged property need to justify their action to the courts.

I trust (a misuse of language, because I have little faith) that these policemen will also have to face the courts. If you haven’t seen the footage of the cerebral palsy sufferer being pulled from his wheelchair by the police, please watch it now.

And then, if you haven’t seen the most shameful piece of journalism I have come across in a long time, watch this interview with the wheelchair occupant.

This is not about students or even student fees. This is about freedom, liberty, the kind of Britain I want to live in, and democracy. I say to Cameron and Clegg, do not become Chaucer’s smiler. Stand up for freedom; do not complete the process started by New Labour: do not allow the UK to become a police state.

The Cloud will dominate. It’s simple economics. The Cloud offers greater efficiency at lower cost; so if your competitor is in and you are out, he wins and you lose. But concern over security is currently delaying deployment: if you don’t know where your data is, how can you secure it?

Marc Gaffan, VP Marketing, Incapsula

“One of the challenges of the Cloud,” said Marc Gaffan, VP Marketing with Incapsula, “is that you have to rely on the infrastructure that your Cloud provider offers.” And this is counter-intuitive, particularly since “most web application firewalls to date,” he continued, “have come in the form of an appliance. Typically, when you use a web application firewall, you take a physical server and attach the appliance to it, routing traffic through your physical appliance to your physical server. But when you move into the Cloud and use a Cloud provider, there is no physical rack for your physical appliance to connect to your physical server.” And it is this lack of physicality that worries us about the Cloud.

But in reality that’s because we misunderstand the nature of the internet itself. We think of the internet as some huge collection of interlinked separate computers to which we are connected, but do not belong. That misunderstands the nature of the beast. We should revisit Sun’s old motto: the network is the computer. Only now we should say: “The internet is the computer.” It is only when we start to look at the internet as just one huge multi-user amorphous computer that we will be able to harness its full potential. When we look at it like this, for example, it doesn’t really matter where the data is located.

Consider the computer on your desktop. We are accustomed to not knowing where our data is stored on this computer, because we don’t need to know. The filesystem knows. Access to our data is via the filesystem – and because of the filesystem we can still protect the data without knowing where it is situated and even though the operating system keeps moving it to different locations on the disk in our computer on the desk.

Now consider the internet. If the internet is the new computer, then DNS will be the filesystem and the service providers are the operating system (OK, loosely – don’t get too literal on me). And if the basic analogy holds, then we don’t need to know where our data is held (and will simply go mad if we try to find it and follow it), but we can still secure it via the DNS.

That’s what Marc Gaffan’s new Incapsula service does. It provides a virtual web application firewall that doesn’t care where your web is located. “In order to get the protection of Incapsula,” Gaffan explains, “all you need is control of your domain name server and five minutes. You change your DNS to route all incoming and outgoing traffic through Incapsula. From that point on, all your website visitors will first go through Incapsula, through our globally distributed network of servers, and we will proxy the traffic to you. We essentially front-end your website regardless of where it is hosted or who is hosting it, or whether you have control over that web server or not.”

This is using the Cloud and Cloud concepts to protect the Cloud. “A primary principle,” says Gaffan, “is pay as you grow. If you are a new company you can start small; you don’t have to pay for excess capacity or provision for future growth, you just pay for what you need when you need it.”

But a second principle is collective or community strength. “By correlating information across our hundreds of customers and worldwide network of servers we create a community learning. If Incapsula sees someone doing something bad at one website; and minutes later that person goes to another website, Incapsula knows that nothing good is intended; and will instantly block access – and that correlation of experience across different Incapsula customers makes it a better service.”

This process of moving our security into the Cloud in order to protect our data in the Cloud has already started. First came spam-blocking services; then, inevitably, anti-virus products began to leverage the Cloud. Now Incapsula demonstrates the next step. “Once you get onto the Cloud, you must not be dependent on just the services that the Cloud provider offers you – you need the freedom to shop around and leverage services from other Clouds; like Incapsula. This process allows Cloud customers to take security back into their own hands, and not be forced to rely on or be constrained by the Cloud provider’s own offerings.”

Remember, the internet is the computer. You can indeed protect your data even if you don’t know where it is.

It gets better, because this is not an original comment from Cameron: it is a quite deliberate quote from US Supreme Court Justice Louis Brandeis, who said “Sunlight is the best disinfectant” when referring to openness and transparency in public policy as a condition of democracy.

So here we have both the USA and the UK (and the UK most recently, of course) stressing the value of openness in government. But what it really means is that government should be open about what it wants us to know, and secretive and dishonest about the rest.

At the moment, both the UK and USA would like us to believe that Wikileaks is endangering national security and threatening lives. Note that it is not the respective but hardly respectable governments that endanger lives by engaging in illegal wars, by furtively trying to play one country off against another, by lying to and deceiving its own electorate. No, it is not governments but Wikileaks – which, remember, has done nothing, absolutely nothing, other than tell us the truth – that is the criminal.

And on the same day that MasterCard and Visa refuse to process donations to Wikileaks; after Amazon and eBay sever ties with WikiLeaks; following the Swiss Bank closure of Assange’s account; and on the day that Assange is arrested on charges that have already been abandoned by one Swedish judge; so the US state department announces: “The United States is pleased to announce that it will host Unesco’s World Press Freedom Day event in 2011, from 1-3 May in Washington, DC.”

This is absolutely blatant bullying, probably orchestrated by the Obama Administration but with cowardice aforethought support from other toadying governments throughout the world, including I am ashamed to add, that of the United Kingdom. And we must not allow it to succeed, because it is not just Wikileaks that is at stake, it is not just Julian Assange – it is democracy that is on trial.

Anti-virus software is possibly the archetypal security product. It was the first, is the most ubiquitous and certainly the best known defence against the bad guys. But with so many high-profile malware successes (such as Stuxnet and Zeus and other botnets that comprise millions of infected computers) we need to ask ourselves if it is still up to the job. Are the bad guys winning the arms race? What are the latest developments in malware, and what is the AV industry doing to combat them? These are the questions we need to examine before answering the ultimate question: is anti-virus software still relevant?

This article was written for, first published by, and reprinted here with the kind permission of Infosecurity Magazine.

In this article we are going to use ‘virus’ and ‘malware’ interchangeably. There is a technical difference between a virus and a worm and a trojan. But for the user, there is no meaningful difference: they are all malware and all bad for you. “The key thing to recognise,” says James Lyne, senior technologist at Sophos, “is that these things are now so inextricably linked together that this aged distinction between things like viruses, worms, trojans and spam actually doesn’t make a lot of sense at all – it’s all really just ‘bad stuff’”. For example, he explained, bots on compromised PCs are used to deliver spam that contains social engineering scams designed to trick users into visiting malicious websites that will infect the user with a trojan that opens a back door to allow in a rootkit containing a keylogger and spyware. Anti-virus software doesn’t just seek to protect you from viruses – it seeks to protect you from all of this bad stuff. We’ll just call it all ‘malware’.

Current developments in malware: what are the attackers doing?

Modern malware has evolved from a demonstration of personal prowess into a serious, organised, criminal business; and is driven by the same motives as any legitimate business – a desire to maximise ROI. This explains the two primary characteristics of today’s malware: it follows the market; and is increasingly sophisticated.

Follows the market

Wherever there are large concentrations of users, there will also be malware. This explains the malware campaigns on Facebook and Twitter. But it also tells us what is likely to happen next, which will start with increasing malware for the Mac (a new Mac version of KoobFace is discovered by Intego, a Mac security specialist, as I write this article). The criminals will follow the numbers, and as the Mac and other Apple products increase in popularity, so will the criminals start to attack them. One of the biggest computing movements today is ‘mobilization’ – the growth of mobile computing using smartphones and tablets. As these markets grow, so will they attract malware. Similarly, market growth in virtual machines will lead to attacks on the hypervisor. The AV industry is aware that there are proof of concept attacks on virtual machines, but nothing has yet been found in the wild. But it will happen; and is an area where all AV companies are watching – and waiting.

James Lyne, senior technologist at Sophos

It is only with a degree of tongue in cheek that Luis Corrons, technical director of PandaLabs, comments, “We’re becoming ever more interconnected. Everything is connected to everything else – and it’s all connected to the internet. I don’t know that we’re going to install anti-virus for the fridge – but who knows.” Basically, when there are enough fridges connected to the internet, there will be fridge malware.

Technical sophistication

James Lyne described one example of the increasing sophistication in malware. “Polymorphism,” he said, “has been around for about 20 years. It’s where the malware continually changes itself to avoid detection – but it has been easy for the AV vendors to defeat it. We’d get hold of a copy, extract and analyse the engine that creates the new copies and work out all the possible future versions. That would give us generic detection for that whole polymorphic family. But today the bad guys are using server-side polymorphism where the engine is not in the malware but on legitimate business websites. Every time it is refreshed, what is downloaded is different in content to the previous download – and after a couple of hundred downloads, they kill that site and move on to another. That way none of us vendors can get hold of the engine to write any form of generic protection.”

Current developments in anti-malware: what are the defenders doing?

There doesn’t appear to be a major advance in AV technology on the near horizon. “Right now,” says David Harley, ESET research fellow & director of Malware Intelligence, “it’s more a case of multiple/hybrid technologies (found in nearly any modern AV) advancing by improving individual components. Obviously, some products stress certain components more than others.”

Has the AV industry shot itself in the foot?
We’ve all seen the adverts and claims: “Our product detects 99% (or even 100%) of viruses.” And yet we still get infected. And we still hear of new viruses being missed by almost all of the AV products when tested against VirusTotal. Something is clearly wrong.
When you look at the small print, you see that what appears to be “100% of viruses in the wild” is actually “100% of viruses that are included in the WildList”: and “in the wild” and “in the WildList” are two completely different things. I don’t believe it was designed to be misleading; but it is misleading and I believe that AV companies know that it is misleading.
This might have worked ten years ago, when users were more technically naive. But today’s user can see the anomaly: and the result is a loss of trust in the AV companies that will only increase unless and until they start to be more honest in their claims. The AV marketing bods need to be more like the AV technical bods; who are far more likely to tell you how it really is.

Reputation-based classification

But probably the biggest single development has been the evolution of product-based reputation feedback (not to be confused with community-based reputation systems such as the Web of Trust). Rik Ferguson, Trend Micro’s senior security advisor, explains his own company’s reputation system. It is born out of the marriage, in the cloud, of three separate databases: bad emails, bad URLs and bad files. “Let’s take a hypothetical worst-case scenario,” he said. “You get an email from a bot that has only just been infected – and the email is well-crafted so that it looks OK. We can’t see anything wrong with it, so we allow it. In this case, email reputation has failed. The email contains a link to a malicious website that has only just been registered. Again, we don’t yet know it’s bad – so we allow you to click the link, and again the reputation system has failed. You click the link and visit the website which uses a zero-day exploit to infect you with a new trojan that the bad guys have already tested against all the AV products. We haven’t seen this trojan, so we allow you to download it – and you’re infected. Email, URL and file reputation systems have all failed. But,” he stresses, “the first thing that the trojan will seek to do is phone home, either to tell its owner that it has landed, or to download additional components. At this point we will almost certainly recognise this as suspicious behaviour and block it. We will also relay the URL source of the suspect file to TrendLabs who will download the page content and analyse it.” Instantly, the URL database and file database are updated with the new reputations. And, “if a new email comes in pointing to that URL that we now know to be suspicious, we can recognise the email as also suspicious and can add details to our email reputation system. And all of this is based on the behaviour of a file that we had previously thought was OK; and all of these new reputations are, thanks to the cloud, instantly available to all of our other customers.”
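The chain Ferguson walks through is easier to see as code. The model below is an added example, not Trend Micro’s code: three reputation stores that allow anything they have never seen, a behavioural block on the new file’s first outbound connection, and the verdicts that block produces feeding back into the URL, file and email stores for every later lookup. The sender addresses, URLs and sample hash are constructed.

```python
"""Email, URL and file reputation correlated with phone-home behaviour.

Added example; not Trend Micro's code. It models only the chain described
in the article: three reputation stores that each allow what they have
never seen, a behavioural block on an unknown file's first outbound
connection, and the resulting verdicts shared with every later lookup.
Names, URLs and the sample hash are constructed.
"""
import hashlib

UNKNOWN, BAD = "unknown", "bad"
ALLOW, BLOCK = "allow", "block"

# Constructed stand-in for the hash of a never-before-seen trojan.
SAMPLE_HASH = hashlib.sha256(b"constructed sample, not a real binary").hexdigest()
LANDING_URL = "http://newly-registered.example/landing"   # constructed
BEACON_URL = "http://beacon.example/report"               # constructed


class ReputationCloud:
    """One shared store: a verdict learned from one customer is visible to all."""

    def __init__(self):
        self.email = {}    # sender address -> verdict
        self.url = {}      # url -> verdict
        self.file = {}     # sha256 -> verdict
        self.origin = {}   # sha256 -> url it was downloaded from

    def check_email(self, sender, link):
        """Email reputation: block a known-bad sender, or a message linking to a known-bad URL."""
        if self.email.get(sender, UNKNOWN) == BAD or self.url.get(link, UNKNOWN) == BAD:
            self.email[sender] = BAD   # a sender pushing a bad link earns a bad reputation too
            return BLOCK
        return ALLOW

    def check_url(self, url):
        """URL reputation: only URLs already known to be bad are blocked."""
        return BLOCK if self.url.get(url, UNKNOWN) == BAD else ALLOW

    def check_download(self, url, sha256):
        """File reputation: unknown files are allowed, but their source is remembered."""
        if self.file.get(sha256, UNKNOWN) == BAD or self.url.get(url, UNKNOWN) == BAD:
            return BLOCK
        self.origin[sha256] = url
        return ALLOW

    def observe_outbound(self, sha256, destination):
        """Behavioural backstop: a file with no reputation opening its own connection.

        The connection is blocked; the file, its destination and the page it
        came from are all marked bad (in the real service the source URL is
        relayed for analysis first).
        """
        known = self.file.get(sha256, UNKNOWN)
        if known != UNKNOWN:
            return BLOCK if known == BAD else ALLOW
        self.file[sha256] = BAD
        self.url[destination] = BAD
        if sha256 in self.origin:
            self.url[self.origin[sha256]] = BAD
        return BLOCK


def run_worst_case(cloud=None):
    """Replay the hypothetical worst case and return the five verdicts in order."""
    if cloud is None:
        cloud = ReputationCloud()
    return [
        cloud.check_email("bot@compromised.example", LANDING_URL),   # email reputation fails
        cloud.check_url(LANDING_URL),                                # URL reputation fails
        cloud.check_download(LANDING_URL, SAMPLE_HASH),              # file reputation fails
        cloud.observe_outbound(SAMPLE_HASH, BEACON_URL),             # phone home is blocked
        cloud.check_email("other-bot@example.net", LANDING_URL),     # next email is blocked
    ]


if __name__ == "__main__":
    print(run_worst_case())   # ['allow', 'allow', 'allow', 'block', 'block']
```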

Future solutions for the malware problem

We have a choice. We can carry on as we are, trying to improve our anti-malware defences in a perpetual leapfrogging process with the bad guys – or we can think out of the box and be radical. One approach could be Trusteer’s Rapport product. Its purpose is not primarily to find and eliminate viruses; but to specifically protect online bank transactions from malware (such as Zeus). Rapport is anti-malware; but not as we know it. Its primary purpose is to protect the browser. It doesn’t go looking for malware on your PC. Rather it defines a browser behavioural policy – and if the browser tries to behave differently, it knows that there is malware involved. “It’s like behavioural detection,” explains Amit Klein, Trusteer’s chief technology officer, “but it’s not behavioural in the sense that we monitor all the behaviour of a suspicious binary – rather we wait for the malware to come to us – for it to ‘attack’ the browser; and that’s where we stop it cold.”

Scott Charney’s Internet Health Certificate

A more radical approach could be the Internet Health Certificate proposal put forward by Microsoft’s Scott Charney (Collective Defense – Applying Global Health Models to the Internet). Charney’s idea is that we should take a lead from the World Health Organization: you may need to prove your health before you can do certain things or go to certain places. In other words, users may need a health certificate for their computers before they are allowed access to the internet. The AV industry is not generally impressed. Who says a computer is healthy? Who defines computer health? “I’d be pretty unhappy if it turned out that the health of my systems was being certified by someone whose knowledge of security wasn’t much higher than the average,” comments ESET’s David Harley. “Or even the sysadmin responsible for the Microsoft servers that are used to relay spam…”

Nor is the technical problem trivial. “The technical issue is the volume of edge cases,” continues Harley. “I don’t think a ‘just about good enough’ heuristic approach combines well with a utilitarian ‘greatest good for the greatest number’ approach, in this case.”

Rik Ferguson, senior security advisor, Trend Micro

Trend Micro’s Rik Ferguson raises a practical issue. “What happens,” he asks, “in the case of false positives? If users are incorrectly quarantined, will they be able to claim something back in lost productivity, lost purchases on eBay, or whatever it may be?”

“It’s an interesting idea,” concedes Trusteer’s Klein. “But with the current infection rates where your machine can be clean one day and infected the next, I’m worried about the implications for an ISP handling millions of customers, some of whom keep getting re-infected. In practice, I’m not sure how we can really adopt this – I’m not sure how the ISP, where the rubber meets the road, will be able to handle this under current pricing structures.”

With apparently so little going for this idea, you have to wonder how it got air time. The answer might be in Scott Charney’s title: vice president of trustworthy computing. Microsoft, of course, is a leading member of the Trusted Computing Group (TCG). The TCG has developed specifications for how to control what can and cannot run on a computer – and this can already be achieved via Intel chips (Intel is another member of the TCG) installed on the majority of the world’s PCs. So if a third party (your company? Microsoft? Intel? Your ISP? The Government?) defines what can run on your PC for you to be allowed access to the internet, you automatically have a health certificate because nothing else, neither malware, nor pirated software, nor illegal music, nor porn, nor any new software not sanctioned by the controlling organization, is capable of running. The problem is solved. Some might say at the cost of personal freedom.

Conclusions

Some of the marketing hype around anti-virus products seems to imply that AV software is all you need to be safe. It is not. You need layers of different security. In fairness to them, none of the anti-virus technologists will suggest that AV is enough. You need to complement it with data loss prevention technologies, ID theft prevention, firewalls, URL filters and more. How will the market develop? “Slowly and painfully,” says Harley. “Customers who expect 100% success will continue to be disappointed. Pure AV will become rarer: the technology will continue to be further integrated with other defensive technologies.”

New technologies such as Rapport can help in niche areas; ideas such as trusted computing could solve the problem but at the cost of personal liberty. Now I am not the biggest fan of the way in which the anti-virus industry markets itself. But of this I am certain: we cannot, and must not try to, do without it. The anti-virus industry is not merely relevant; it is still essential.

Developments in consumer anti-virus
The biggest single development in consumer anti-virus product is the growth of the free product. Many companies now provide free online scanners – Trend Micro’s HouseCall and Symantec’s Security Check are good examples. There is also a growing number of free products you download and install on your computer: AVG and Avira are the best known. More recently Panda has launched a new free version.
Petter Lautin, Panda Security’s MD for UK and Ireland, explains the rationale: “A Morgan Stanley survey in America has shown that 46% of consumers rely on free security software, and that’s expected to increase to nearer 60%. I’d be surprised if things in Europe are very different; so that’s a fact of life we can’t ignore. Secondly, believe it or not, there are many people out there who are still not using any anti-virus product at all. For them, this is a perfect way to start because it gives you the basic anti-malware protection that everyone needs to have. From there we can start to talk about what you should have rather than must have: a firewall, ID theft protection and all sorts of things on top of that.”
ESET’s David Harley has a pragmatic view. “The economics of the marketplace, though, are that the consumer market isn’t really profitable. It costs more than some companies can afford to support those customers, measured against the profit margin. That’s why some companies make single-user licences so expensive compared to their corporate deals. So for years, the deal with free AV has been a trade-off: fewer bells and whistles and often less detection/disinfection, and restricted support (forums, but not telephone support).”
There is a rider to this – there is still a dearth of free AV software for the Mac. “There is a limited number of free antivirus tools for Mac,” explains Laurent Marteau, CEO of Intego, one of the relatively few Mac AV vendors, “but they have not had a major effect on the market. With Mac antivirus software, none of the companies offering free tools have the infrastructure to find Mac malware and update their software in a timely manner.”
But expect this to change. Panda has now entered the Mac market – and I suspect it will offer a free Mac version in the future. [And since this was written, see: Sophos launches free Mac anti-virus for home users].